Last updated: 2024-03-12

1. Learn
2. ›
3. Next Steps
4. ›
5. Keycloak Configuration

Configuration of Keycloak for Spring Boot

To connect our Spring Boot application to an external Keycloak server, there are a couple of required or useful settings. This article covers the configuration of a Keycloak server for local development, or as a basic guideline for online servers. How to connect Keycloak to our Spring Boot app using OAuth/OIDC is described in this article.

If Keycloak has been enabled in the Security tab in Bootify, the setup described below is required. A file keycloak-realm.json is available in the project root or in the src/test/resources folder if integration tests are enabled. This can be used to generate a realm with exactly this setup. This file already contains a test user and a project specific secret. When using the DevServer, the redirect URLs must include the port 8081 as well.

Keycloak download and first start

First of all Keycloak should be downloaded in the current version 24.0.3. The zip file is available here. After unpacking, the server can be started using ./bin/kc.sh start-dev --http-port 8085 (or kc.bat under Windows). By using port 8085 there will be no conflict with the default port of our Spring Boot application.

Our local Keycloak server should now be accessible at http://localhost:8085. After the first start we need to provide the admin credentials to access the administration UI.

Create Keycloak realm

After we are logged in as admin, we first create our realm without providing a resource file. Here we use "bootify" as realm name.

In the Realm settings we activate the user registration - this will allow a user to register himself if he does not have a login yet.

We also enable the "Email as username" option - so there is no need to specify a dedicated username.

Create Keycloak client

The client in this context describes an application that can connect to Keycloak - so this corresponds to our Spring Boot application. We create it within our new realm.

Within the "Capability config" we select the client authentication. If we are working with server-side rendering, we can active this setting - so our server must store and provide a secret. If we are working with a client SPA like Angular, we must deactivate this setting - as we cannot securely safe the secret, the OIDC type is public and no secret must be provided.

We specify http://localhost:8080/* as a valid redirect URL for development - add port 8081 on top when using the DevServer.

Since we have already activated the client authentication, the tab "Credentials" is available for our client. Here we can now generate the secret and enter it in the application.yml / application.properties of our Spring Boot app. The key for that is spring.security.oauth2.client.registration.{provider-id}.client-secret - further settings are described in the already linked article.

Role configuration

Since Keycloak is primarily an IDP (Identity Provider), it also makes sense to manage the roles within Keycloak. To do this, we first need to create a role and later provide it to our Spring Boot app via the ID token.

In the Realm Settings under the tab "User registration" we now automatically assign our role to each registered user.

This means that our users already have the desired role - but we still have to make it available in our application. To do this, we first select our created application under "Clients" and then go to the dedicated scopes in the "Client scopes" tab.

Here we select the predefined mapper "Realm role".

When creating it, we also activate the "Add to ID Token" option.

This completes our Keycloak setup! When we connect our Spring Boot application to our client as described, users can register and log in on their own. Users are automatically assigned the ROLE_USER which we can read via the ID token within our Spring Security config.